Re: [PATCH 07/12] spdm: Introduce library to authenticate devices

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 12 Oct 2023 09:16:29 +0200
Lukas Wunner <lukas@xxxxxxxxx> wrote:

> On Thu, Oct 12, 2023 at 03:26:44AM +0000, Alistair Francis wrote:
> > On Tue, 2023-10-03 at 15:39 +0100, Jonathan Cameron wrote:  
> > > On Thu, 28 Sep 2023 19:32:37 +0200 Lukas Wunner <lukas@xxxxxxxxx> wrote:  
> > > > This implementation supports SPDM 1.0 through 1.3 (the latest
> > > > version).  
> > > 
> > > I've no strong objection in allowing 1.0, but I think we do need
> > > to control min version accepted somehow as I'm not that keen to get
> > > security folk analyzing old version...  
> > 
> > Agreed. I'm not sure we even need to support 1.0  
> 
> According to PCIe r6.1 page 115 ("Reference Documents"):
> 
>    "CMA requires SPDM Version 1.0 or above.  IDE requires SPDM Version 1.1
>     or above.  TDISP requires version 1.2 or above."
> 
> This could be interpreted as SPDM 1.0 support being mandatory to be
> spec-compliant.  Even if we drop support for 1.0 from the initial
> bringup patches, someone could later come along and propose a patch
> to re-add it on the grounds of the above-quoted spec section.
> So I think we can't avoid it.

I checked with some of our security folk and they didn't provide a
reason to avoid 1.0.  It's not feature complete, but for what it does
it's fine.  So given the PCI spec line you quote keep it for now.
We should be careful to require the newer versions for the additional
features though. Can address that when it's relevant.

Jonathan
> 
> Thanks,
> 
> Lukas
> 




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux